October 21, 2009, 5:00 pm
Several vulnerabilities have been discovered in mapserver, a CGI-based web framework to publish spatial data and interactive mapping applications. The Common Vulnerabilities and Exposures project identifies the following problems:
Missing input validation on a user-supplied map queryfile name allows an attacker to check for the existence of a specific file by supplying its name in the queryfile GET parameter and comparing the resulting error messages.
A lack of file type verification when parsing a map file can lead to partial disclosure of content from arbitrary files through parser error messages...
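A defensive sketch covering both issues above, added here as an example and not taken from mapserver or from the advisory: the file name is allowlisted, the file type is checked before any parsing, and every failure produces the same client-visible message. The `.qy` naming policy, the `DEMO-QUERYFILE` marker, the function names and the sample files are assumptions constructed for illustration.

```python
import logging
import os
import re
import tempfile

log = logging.getLogger("queryfile")
GENERIC_ERROR = "ERROR: query file could not be loaded"  # same text for every failure
MAGIC = b"DEMO-QUERYFILE\n"  # constructed type marker, not mapserver's real format
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.qy")  # assumed naming policy

def load_queryfile(base_dir, name):
    """Return the payload of an allowlisted query file under base_dir."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name rejected by allowlist")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))  # resolves symlinks too
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes base directory")
    with open(path, "rb") as fh:
        # Verify the file type before any parsing, so a parser never
        # quotes lines of an unrelated file in its error output.
        if fh.read(len(MAGIC)) != MAGIC:
            raise ValueError("missing type marker")
        return fh.read()

def client_response(base_dir, name):
    """What the HTTP client sees: payload on success, one fixed error otherwise."""
    try:
        return "OK: " + load_queryfile(base_dir, name).decode("utf-8")
    except (OSError, ValueError) as exc:
        # The distinguishing detail stays in the server log only.
        log.warning("queryfile %r refused: %s", name, exc)
        return GENERIC_ERROR

def demo():
    """Build constructed sample files and return the response to each request."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "queries")
        os.mkdir(base)
        samples = {"saved.qy": MAGIC + b"layer=roads",
                   "notes.qy": b"db_password=example\n"}  # exists, wrong type
        for fname, data in samples.items():
            with open(os.path.join(base, fname), "wb") as fh:
                fh.write(data)
        with open(os.path.join(root, "outside.qy"), "wb") as fh:
            fh.write(MAGIC + b"outside base")
        requests = ["saved.qy", "notes.qy", "missing.qy", "../outside.qy"]
        return {r: client_response(base, r) for r in requests}
```

Calling `demo()` shows that a missing file, an existing file of the wrong type and a name pointing outside the base directory are indistinguishable to the client, while the server log keeps the reason for each refusal.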